RSA enVision - Event Explorer Lab: Run a Command

Event Explorer Lab: Run a Command

This lab gives an analyst the ability to quickly launch an external application from within Event Explorer. Targets could include custom in-house scripts or a NetWitness integration.
In this exercise you will create a custom run command that initiates a geolocation lookup of an IP address from Event Explorer.
1. Create a new batch file on the Desktop called ipinfodb.cmd
2. Right-click on the file, select "Edit with Notepad++", and enter the following code:
@echo off
REM Takes the value Event Explorer passes as the first argument (%1) and, using
REM Internet Explorer, submits it against the ipinfodb.com website.
set "ipaddress=%~1"
if "%ipaddress%"=="" exit /b 1
REM The lab does not give the exact lookup URL; the query path below is an assumption.
start "" iexplore.exe "http://www.ipinfodb.com/?ip=%ipaddress%"
exit
3. Log into Event Explorer
4. Click Tools > Command Manager
5. Click the New Command button.
6. Click the File Browse button and navigate to the Desktop (where you created the ipinfodb.cmd file). Select the file and click OK.

7. Click OK again to return to the main Event Explorer workbench.
8. ALT+Click on a data point in one of your Trace Views to bring up the detailed data for that point.
9. In the Data Point window, right-click on an IP address in the DestinationAddress column, hover over Run, and select the ipinfodb.cmd option.

Exercise complete: this runs the batch script created earlier. Event Explorer hands the selected address to the script as its first argument (%1); the script loads Internet Explorer and navigates to the URL it builds, with the IP address included. Because that value comes straight from event data, the script should accept only a well-formed IP address before placing it in a URL or on a command line, and keep in mind that looking up an internal address sends it to an external website.
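The batch file above passes whatever Event Explorer selects straight into a browser URL. As an added example (not the lab's script and not RSA-supplied code), here is a PowerShell version of the run command that validates the argument first: it accepts only a dotted-quad IPv4 address and refuses to send private, loopback or link-local addresses to the lookup site. The function names, the ipinfodb.com query path and the -DryRun switch are assumptions; the lab does not state the exact URL.

```powershell
# ipinfodb.ps1 -- added example, not the lab's script or any RSA-supplied code.
# Wire it in from Command Manager with a one-line ipinfodb.cmd wrapper:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0ipinfodb.ps1" -Address "%~1"
param(
    [Parameter(Mandatory = $true)][string]$Address,   # value Event Explorer hands over
    [switch]$DryRun                                    # print the URL instead of opening IE
)

function Test-PublicIPv4 {
    # True only for a dotted-quad IPv4 address that is routable on the Internet.
    # The regex rejects short forms such as "1" or "10.1" that IPAddress.TryParse
    # would otherwise accept, and anything carrying shell metacharacters.
    param([string]$Value)
    if ($Value -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Value, [ref]$ip)) { return $false }
    $b = $ip.GetAddressBytes()
    # Do not send RFC 1918, loopback, link-local or "this network" addresses to a third party.
    if ($b[0] -eq 0 -or $b[0] -eq 10 -or $b[0] -eq 127) { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    return $true
}

function Get-LookupUrl {
    # Builds the lookup URL from the canonical form of the parsed address, so only
    # a dotted quad ever reaches the query string. The query path is an assumption;
    # the lab does not state the exact ipinfodb.com URL.
    param([string]$Value)
    $canonical = [System.Net.IPAddress]::Parse($Value).IPAddressToString
    return 'https://www.ipinfodb.com/?ip=' + [uri]::EscapeDataString($canonical)
}

if (-not (Test-PublicIPv4 $Address)) {
    Write-Error "Refusing lookup: '$Address' is not a public IPv4 address."
    exit 1
}
$url = Get-LookupUrl $Address
if ($DryRun) { Write-Output $url; exit 0 }
Start-Process -FilePath 'iexplore.exe' -ArgumentList $url
```

Running `.\ipinfodb.ps1 -Address 8.8.8.8 -DryRun` prints the URL that would be opened, while `.\ipinfodb.ps1 -Address "8.8.8.8 & calc"` and `.\ipinfodb.ps1 -Address 10.0.0.5` both exit with an error before any browser is launched. Command Manager is pointed at the .cmd wrapper exactly as in steps 4 to 7 above; the wrapper's `"%~1"` re-quotes the argument so a value containing spaces still arrives as a single -Address parameter.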

 



-Regards,
Blackhattrick blog
(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)


Reviewed by BlackHat on 10:42 AM
